COMPUTER SECURITY AT THE
DRUG ENFORCEMENT ADMINISTRATION

 

Audit Report 97-14, (3/97)

 

 

 

TABLE OF CONTENTS

 

 

EXECUTIVE SUMMARY

FINDINGS AND RECOMMENDATIONS

I. SYSTEM SOFTWARE CONTROLS

Default Settings

Audit Trails

II. COMPUTER SECURITY MANAGEMENT

Personnel Security Controls

Individual Access Controls

Administrative Security Controls

Risk Management

Physical and Environmental Security Controls

III. SECURITY SOFTWARE

STATEMENT ON INTERNAL CONTROLS

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

APPENDIX I - Objectives, Scope and Methodology, and Background

APPENDIX II - Locations Reviewed

APPENDIX III - DEA Comments on the Audit Recommendations

APPENDIX IV - Office of the Inspector General, Audit Division Analysis and Summary of Actions Taken to Close Report

 

 

EXECUTIVE SUMMARY

Computer security was reported by the Attorney General to the President in 1995 as a high risk area for six Department of Justice components, including the Drug Enforcement Administration (DEA). We found computer security continues to be a high risk at the DEA, as we found in 1989 and the General Accounting Office found in 1992. Our current audit found that:

• Computer default settings and audit trails were not implemented effectively to protect DEA's sensitive computer resources and to detect unauthorized access.

• Computer security management was inadequate because: (1) personnel were not properly cleared, authorized, and trained for access to sensitive computer resources; (2) computer equipment was not properly controlled and safeguarded; (3) risk analyses and contingency plans were not always performed and tested; and (4) visitor access and lock combination change procedures were inadequate to restrict access to sensitive resources.

• Computer security software was not fully utilized to detect and investigate unauthorized access to DEA's sensitive data base applications processed at the Justice Data Center.

Collectively, these weaknesses substantially increase the risks of unauthorized disclosure of sensitive information. These matters are discussed in the findings and recommendations section of the report. Our objectives, scope and methodology, and background information are contained in Appendix I of the report.

#####